I forgot to add that in all this big design (probably this will clarify everything): Kerberos will continue to exist in your AD domain; it is just one of the two authentication types you will have to use for authentication in Windows (Kerberos or NTLM; Kerberos is what Microsoft suggests to use, also for performance reasons). SPNEGO will be used to retrieve credentials from the Windows machine, and they will be passed automatically to CAS, which will be able to connect to AD (using an LDAP client, so the AD is considered an Authentication Provider), check that the authentication is still valid, retrieve your attributes (if any is needed by the application), check if the service you are going to be redirected to is "CAS enabled", and, in case everything is positive, redirect you to the service adding information about your UserID and eventually attributes. By the way, obviously if you are already logged in and you move to another web site, there is no need to check credentials: the web site will redirect you to CAS, the CAS system will give you back just another ticket in which is saved the information that you have already been logged in via CAS and that you are granted access to the other service; all these operations will be transparent to you and to the final user, which is exactly what you need to have. Anyway, it took me three days to implement the first test, but do not get confused by all the terms: CAS is simple, reliable and very elegant in the way it works; it is just a matter of having some building blocks, in particular an Authentication Provider (AD), a store where we map available and enabled services (we have an Oracle DB, but we could have nothing), the CAS server, and the client installed on the web site (usually an httpModule or filter on a Web App).
Let me know if you want to have more information.

Stefano

-----Original Message-----
From: Pasi Kallioniemi [mailto:pasi.kallioni...@ipss.fi]
Sent: Tuesday, 01 June, 2010 14:16
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS and autoauthentication (with AD)

Hello all,

this may be a newbie question, but I have a hard time finding a solution for our scenario. Maybe someone here has pointers on whether this is possible to accomplish with CAS (or am I totally lost :) ):

Scenario:
- We have a user logged into the company Active Directory network.
- The company has multiple web systems to be added under SSO.
- As the user is logged into his machine (and is authenticated to the company infra network), the user would not want to input username/password again on ANY login page.
- Instead the user would like to point his/her browser to some address and get inside the system he wants.
- The authentication would be done automatically against the user's browser.

We have accomplished the previous example for one system by doing some Windows integrated authentication (with IIS + Windows authentication + IE), but would like to have a more general way to have n systems (on Java & .NET platforms) working like this. Perhaps one possibility is to use CAS?

Questions:
- If I have understood the wiki correctly, CAS can be integrated, for example, for authenticating against AD or some other source. So adding n systems under SSO and authenticating users against AD would be OK with a single login page.
- But is it always necessary to have the CAS login page? Is it possible to configure CAS to autoauthenticate the user's browser against AD? So the user logged into AD would point the browser to "https://caslogin.intra/?service=https://other_server/application1" and CAS would authenticate the user and redirect to the actual application. If this scenario is possible with CAS, what would be the configuration?
I'm a little bit lost about the need for such protocols as SPNEGO and Kerberos (when would you use SPNEGO or Kerberos?). I hope that I was not too confusing with this question, and thank you for any input.

Best Regards,
Pasi

-- You are currently subscribed to cas-user@lists.jasig.org as: stefano.bra...@eurac.edu
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
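The ticket flow Stefano describes above (SSO session issued once, a fresh ticket per service, registry check of "CAS enabled" services, and the validation the client filter performs) is easier to follow as a runnable model. The following is an added example written for this page, not code from the thread or from the CAS project: an offline Python stand-in for the CAS 2.0 /login and /serviceValidate endpoints. The service URLs, the user id "pasi", the in-memory registry (standing in for the Oracle-backed store Stefano mentions) and the `spnego_principal` argument (standing in for the user id CAS would derive from the browser's Kerberos/SPNEGO token) are all constructed assumptions; the XML shapes and the namespace are those of the real CAS 2.0 protocol.

```python
"""Offline model of the CAS ticket flow: SSO session (TGT), per-service
single-use tickets (ST), a registry of "CAS enabled" services, and the
/serviceValidate XML a client filter parses.  Added example, not CAS code."""
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace used by the real CAS 2.0 protocol


def failure_xml(code, message):
    """CAS 2.0 authenticationFailure response body."""
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
            f'<cas:authenticationFailure code="{code}">{escape(message)}'
            "</cas:authenticationFailure></cas:serviceResponse>")


class CasServer:
    """Toy CAS server.  Registry and ticket stores are in-memory dicts
    (hypothetical stand-ins for the DB-backed registry in the thread)."""

    def __init__(self, registry, st_ttl_seconds=10):
        self.registry = set(registry)   # only these service URLs may use CAS
        self.tgts = {}                  # TGT id -> principal (the SSO session cookie)
        self.sts = {}                   # ST id -> (service, principal, issued_at)
        self.st_ttl = st_ttl_seconds

    def login(self, service, tgt=None, spnego_principal=None):
        """Model of GET /login?service=...  Returns (tgt, redirect_url).

        spnego_principal stands for the user id CAS would derive from the
        browser's Kerberos/SPNEGO token; it is consulted only when no valid
        TGT cookie is presented, which gives the 'no second prompt' behaviour."""
        if service not in self.registry:
            raise PermissionError("service is not CAS enabled")
        if tgt not in self.tgts:
            if spnego_principal is None:
                raise PermissionError("no SSO session and no SPNEGO credential")
            tgt = "TGT-" + secrets.token_urlsafe(16)
            self.tgts[tgt] = spnego_principal
        principal = self.tgts[tgt]
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (service, principal, time.monotonic())
        sep = "&" if urlparse(service).query else "?"
        return tgt, f"{service}{sep}{urlencode({'ticket': st})}"

    def service_validate(self, service, ticket):
        """Model of GET /serviceValidate?service=...&ticket=...  Returns XML.
        The ST is consumed on first use and must match the service it was cut for."""
        entry = self.sts.pop(ticket, None)          # pop => single use, replay fails
        if entry is None:
            return failure_xml("INVALID_TICKET", f"ticket {ticket} not recognized")
        bound_service, principal, issued_at = entry
        if time.monotonic() - issued_at > self.st_ttl:
            return failure_xml("INVALID_TICKET", "ticket expired")
        if bound_service != service:
            return failure_xml("INVALID_SERVICE", "ticket was issued for another service")
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
                f"<cas:user>{escape(principal)}</cas:user>"
                "</cas:authenticationSuccess></cas:serviceResponse>")


def parse_validate_response(xml_text):
    """What the client filter / httpModule does with the XML: return the
    authenticated user id, or None on any failure."""
    root = ET.fromstring(xml_text)
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return user.text if user is not None else None


def ticket_from_redirect(url):
    """Extract the ST the browser carries back to the service."""
    return parse_qs(urlparse(url).query)["ticket"][0]


def sso_demo():
    """Walk the exchange from the thread and return the observable outcomes."""
    app1, app2 = "https://app1.intra/", "https://app2.intra/"   # constructed sample services
    cas = CasServer(registry={app1, app2})

    # 1. First visit: no TGT cookie, so CAS authenticates via the SPNEGO principal
    #    ("pasi" is a constructed sample user) and redirects back with an ST.
    tgt, redirect1 = cas.login(app1, spnego_principal="pasi")
    st1 = ticket_from_redirect(redirect1)
    user1 = parse_validate_response(cas.service_validate(app1, st1))

    # 2. Replaying the same ST is rejected: it was consumed in step 1.
    replay = parse_validate_response(cas.service_validate(app1, st1))

    # 3. Second application: the TGT cookie is enough, no SPNEGO round-trip.
    _, redirect2 = cas.login(app2, tgt=tgt)
    user2 = parse_validate_response(cas.service_validate(app2, ticket_from_redirect(redirect2)))

    # 4. An ST cut for app2 is useless to app1 (ticket is bound to its service).
    _, redirect3 = cas.login(app2, tgt=tgt)
    wrong_service = parse_validate_response(
        cas.service_validate(app1, ticket_from_redirect(redirect3)))

    # 5. A service missing from the registry is refused before any ticket is cut.
    try:
        cas.login("https://rogue.intra/", tgt=tgt)
        unregistered_rejected = False
    except PermissionError:
        unregistered_rejected = True

    return {"user1": user1, "replay": replay, "user2": user2,
            "wrong_service": wrong_service, "unregistered_rejected": unregistered_rejected}


if __name__ == "__main__":
    print(sso_demo())
```

The two checks worth carrying into a real deployment are the ones steps 2 and 4 exercise: a service ticket is single-use and bound to the exact service URL it was issued for, so a client filter must always send the same `service` value to /serviceValidate that it sent to /login, and must treat any `authenticationFailure` as unauthenticated rather than falling back to a cached identity.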